State of the Art Post Exploitation in Hardened PHP Environments

August 12th, 2009 | by Stefan Esser

I am finally back in Germany after several weeks in foreign countries like Singapore, Taiwan and the USA. In all three countries I gave a presentation titled “State of the Art Post Exploitation in Hardened PHP Environments” that discusses a certain flaw in the design of the Zend Engine that allows the development of very stable local exploits against PHP. Within the presentation two (no longer) 0-day exploits are discussed and it is demonstrated how they can be used to get arbitrary read and write access to the memory of PHP, which enables a PHP script to break out of some of the common protections you will see on hardened PHP installations. Find below the slides and the whitepaper sent to Blackhat.
6 Responses to “State of the Art Post Exploitation in Hardened PHP Environments”
By msakamoto-sf on Aug 12, 2009
Great job …!!
Thank you very much.
By blizzy on Aug 12, 2009
Will there be a new release of Suhosin for PHP 5.3 soon?
By Stas on Aug 18, 2009
rev. 287466 in SVN should fix the by-ref issue.
By Stefan Esser on Aug 19, 2009
@Stas
I haven’t tested it yet, but from looking at the code you disabled call-by-ref for internal functions. This should fix the explode(), trim(), strtok(), … and the hundreds of other exploits relying on it. Great.
However, the usort() fix can be bypassed, because it is possible to modify arrays without triggering the copy-on-write “protection”.
And there are still lots of other places where user space interruption is possible.
By Home Security on Nov 12, 2009
Whoa. That was quite a long read. Thanks for putting those 2 up. It’s okay if I save them for reference, right?
By Michael Kalish Artwork on Dec 28, 2009
I’m wondering how exploitable Zend is versus Ioncube. Thanks for posting this, I’m sure it’ll be a good read.